Unfortunately, data security breaches are becoming more and more common, which means that UK businesses are being forced to re-evaluate their cyber security practices and data leak protection schemes. The issue of UK data security breaches is especially apparent given that, in October, British Gas became the third of three companies (the others being Marks & Spencer and TalkTalk) to fall victim to a data breach in the space of a week. It is important that we learn from these breaches and that businesses do everything they can to avoid the same happening to them.
British Gas did assure customers that the leak of their email addresses and account passwords was not the result of a cyber attack on the company and that none of their payment data was at risk. However, this did little to reassure consumers, who would already have heard about Marks & Spencer customers being able to see each other's account details and the compromised personal information of four million TalkTalk customers.
Even though both British Gas and Marks & Spencer have claimed that their breaches happened as a result of internal error rather than a third-party attack, it is of vital importance that businesses now step up their security measures to keep the trust of their customers. Richard Pharro, chief executive of APMG, suggests that it is a company's board that must take responsibility for cyber security and that it is unacceptable for a director to claim to have no understanding of the security policy. He believes that many directors are under the illusion that their company's compliance with standards means that it is sufficiently protected, but this is not true.
Compliance with security standards establishes a baseline that may be adequate in low-risk situations. However, compliance alone gives no indication of the actual risks facing the company, and it is important that these risks are regularly reassessed to avoid being caught out. In fact, a recent survey showed that 9% of data security mishaps occurred as a result of employee error, which means that however much companies do to guard against external attackers, it is equally important to address the risks that exist within the business itself.
Even though the current maximum fine for a UK company that breaches the Data Protection Act is £500,000, some people suggest that this is not high enough to scare businesses into taking their data security more seriously. However, the European Commission has planned changes for next year, including the General Data Protection Regulation, under which companies could be fined up to €100 million or 5% of their annual turnover for breaches of the regulation.
These more stringent rules mean that your company should reassess its current data security policy: ensuring that all employees are trained to the required standard and are aware of the consequences of any mistakes, identifying any weaknesses that need to be addressed, and closing any gaps that may exist. Failure to do so could cost you both money and the trust of your customers.